If a DN has an embedded comma, it needs to be escaped with a backslash or else the system will assume it is like all the other commas separating RDNs in the DN. Possibly ldapsearch is doing something with the query filter; you can validate that with some network sniffing package. Here is another tool executing the same type of query. As you can see, the embedded comma works fine with the escape, whereas not using the escaped comma or no comma at all results in failure.
[Thu 09/03/2009 12:51:16.80] G:\Temp\transfer>adfind -default -rb ou=users-active -f "(&(objectcategory=group)(member=CN=Sturgis\, Grant,OU=Users-Active,DC=test,DC=loc))" -tdcas -samdc

AdFind V01.40.00cpp Joe Richards ([email protected]) February 2009

Using server: r2dc1.test.loc:389
Directory: Windows Server 2003
Base DN: ou=users-active,DC=test,DC=loc

dn:CN=group1,OU=Users-Active,DC=test,DC=loc
>objectClass: top
>objectClass: group
>cn: group1
>member: CN=Sturgis\, Grant,OU=Users-Active,DC=test,DC=loc
>distinguishedName: CN=group1,OU=Users-Active,DC=test,DC=loc
>instanceType: 4
>whenCreated: 2009/09/03-12:48:22 Eastern Daylight Time
>whenChanged: 2009/09/03-12:48:22 Eastern Daylight Time
>uSNCreated: 3464099
>uSNChanged: 3464101
>name: group1
>objectGUID: {9C013F29-C23E-41DB-A1F9-BAED5DE34336}
>objectSid: S-1-5-21-91850410-1263060417-3577111226-24885
>sAMAccountName: $L9O000-1RT63P9FJKCR
>sAMAccountType: 268435456 [GROUP(268435456)]
>groupType: -2147483646 [GLOBAL(2);SECURITY(2147483648)]
>objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=test,DC=loc

1 Objects returned

[Thu 09/03/2009 12:51:23.76] G:\Temp\transfer>adfind -default -rb ou=users-active -f "(&(objectcategory=group)(member=CN=Sturgis Grant,OU=Users-Active,DC=test,DC=loc))" -tdcas -samdc

AdFind V01.40.00cpp Joe Richards ([email protected]) February 2009

Using server: r2dc1.test.loc:389
Directory: Windows Server 2003
Base DN: ou=users-active,DC=test,DC=loc

0 Objects returned

[Thu 09/03/2009 12:53:04.90] G:\Temp\transfer>adfind -default -rb ou=users-active -f "(&(objectcategory=group)(member=CN=Sturgis, Grant,OU=Users-Active,DC=test,DC=loc))" -tdcas -samdc

AdFind V01.40.00cpp Joe Richards ([email protected]) February 2009

Using server: r2dc1.test.loc:389
Directory: Windows Server 2003
Base DN: ou=users-active,DC=test,DC=loc

0 Objects returned

joe

--
O'Reilly Active Directory Fourth Edition - http://www.joeware.net/win/ad4e.htm

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Sturgis, Grant
Sent: Thursday, September 03, 2009 12:18 PM
To: [email protected]
Subject: [ldap] Allowable Characters Question

Greetings,

I'm having some confusion trying to integrate an Oracle product with our AD infrastructure, and I think it's coming down to allowable characters.

When I do something like this:

ldapsearch -x -D cn=nobody,ou=Users-IT,dc=domain,dc=com -w password -h dc.domain.com -s sub -b 'ou=Users-Active,dc=domain,dc=com' "(objectClass=group)"

I get a list of groups in that OU and the attributes of those groups, including members. Because the cn of our users are Last, First - that is how they are listed, but with a backslash presumably escaping the comma, like this:

member: CN=Sturgis\, Grant,OU=Users-Active,DC=domain,DC=com

What I really want to do is an AND query for group and member, and I would guess it should be like this:

ldapsearch -x -D cn=nobody,ou=Users-IT,dc=domain,dc=com -w password -h dc.domain.com -s sub -b 'ou=Users-Active,dc=domain,dc=com' "(&(objectclass=group)(member=CN=Sturgis\, Grant,OU=Users-Active,DC=domain,DC=com))"

The result is:

ldapsearch: ldap_search_ext: Bad search filter (-7)

I've noticed that if I change the cn by removing the comma, then changing the query to:

ldapsearch -x -D cn=nobody,ou=Users-IT,dc=domain,dc=com -w password -h dc.domain.com -s sub -b 'ou=Users-Active,dc=domain,dc=com' "(&(objectclass=group)(member=CN=Sturgis Grant,OU=Users-Active,DC=domain,DC=com))"

It works fine.

Any comments on commas and backslash escaped commas? Are these illegal LDAP characters or known problems? Any other words of advice?

Many thanks,
Grant

-------------
Pardon this rubbish: This electronic message transmission is a PRIVATE communication which contains information which may be confidential or privileged. The information is intended to be for the use of the individual or entity named above.
If you are not the intended recipient, please be aware that any disclosure, copying, distribution or use of the contents of this information is prohibited. Please notify the sender of the delivery error by replying to this message, or notify us by telephone (877-633-2436, ext. 0), and then delete it from your system.
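As an added example, not part of the thread and not code from either poster, the following Python module escapes a value at both layers involved here: RFC 4514 escaping for the comma inside an RDN value (which produces the `CN=Sturgis\, Grant` form the directory returns), and RFC 4515 escaping for the assertion value that goes inside a search filter, where the backslash itself must be written as the hex escape `\5c`. The same filter escaping is what protects a query built from user-supplied names against LDAP filter injection. The DN components are taken from the thread; the function names and the sample injection string are my own, and only the standard library is used.

```python
"""Escape LDAP values for DNs (RFC 4514) and search filters (RFC 4515).

Added example; function names are assumptions, not a library API.
"""

# Characters that must be backslash-escaped anywhere in an RDN attribute
# value (RFC 4514 section 2.4). '#' needs escaping only at the start, and a
# space only at the start or end of the value.
_DN_SPECIAL = set(',+"\\<>;')


def escape_dn_value(value: str) -> str:
    """Escape one attribute value for use inside a distinguished name."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL:
            out.append('\\' + ch)
        elif ch == '#' and i == 0:
            out.append('\\#')
        elif ch == ' ' and (i == 0 or i == last):
            out.append('\\ ')
        elif ch == '\x00':
            out.append('\\00')
        else:
            out.append(ch)
    return ''.join(out)


def build_dn(rdns) -> str:
    """Join (attribute, raw value) pairs into a DN, escaping each value."""
    return ','.join(f'{attr}={escape_dn_value(val)}' for attr, val in rdns)


def escape_filter_value(value: str) -> str:
    """Escape an assertion value for use inside a search filter.

    RFC 4515 allows a backslash in a value only as the start of a two-digit
    hex escape, so the backslash produced by DN escaping becomes '5c' here;
    the filter metacharacters '*', '(' and ')' and NUL are encoded the same way.
    """
    out = []
    for ch in value:
        if ch in '\\*()\x00':
            out.append('\\%02x' % ord(ch))
        else:
            out.append(ch)
    return ''.join(out)


def groups_containing_member_filter(member_dn: str) -> str:
    """Build the AND filter from the thread for an already-escaped member DN."""
    return f'(&(objectClass=group)(member={escape_filter_value(member_dn)}))'


if __name__ == '__main__':
    # Constructed sample input: the user from the thread.
    dn = build_dn([('CN', 'Sturgis, Grant'), ('OU', 'Users-Active'),
                   ('DC', 'domain'), ('DC', 'com')])
    print(dn)
    print(groups_containing_member_filter(dn))
    # Constructed sample input: a name that would otherwise alter the filter.
    print(escape_filter_value('*)(objectClass=*'))
```

The DN that comes back from the directory is already RFC 4514-escaped, so when such a DN is pasted straight into a filter it must still pass through `escape_filter_value`; passing a raw, unescaped name through both functions in order gives the same result.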
